In a recent development, the U.S. Securities and Exchange Commission (SEC) has filed a compelling complaint against SolarWinds Corporation and its Chief Information Officer (CIO), shedding light on the critical role of cybersecurity whistleblowers in safeguarding both companies and investors.
The SEC's complaint alleges that SolarWinds engaged in fraud and internal control failures, directly related to known cybersecurity risks and vulnerabilities. It contends that SolarWinds misled investors by overrepresenting its cybersecurity practices while downplaying or concealing known risks—a violation that underscores the SEC's commitment to enforcing cybersecurity-related securities regulations.
Gurbir S. Grewal, Director of the SEC's Division of Enforcement, emphasized the significance of implementing robust controls and transparently addressing cybersecurity concerns: "Today's enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company's 'crown jewel' assets but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."
This enforcement action signifies a proactive stance against cybersecurity violations, even in cases where breaches or attacks have not occurred. It highlights that generic risk disclosures no longer suffice when companies are aware of heightened risks but omit them from public disclosures.
The complaint against SolarWinds reveals how the SEC applies antifraud and internal control rules to cybersecurity violations, reinforcing two crucial points:
1. Enforcement Action Beyond Breaches: The SEC is willing to take enforcement action for the failure to disclose cybersecurity vulnerabilities, irrespective of whether a breach or attack has occurred. This stance underscores the importance of proactive cybersecurity practices.
2. Specificity in Risk Disclosures: Generic and hypothetical cybersecurity risk disclosures are inadequate when a company is aware of elevated risks. The complaint against SolarWinds illustrates that companies must disclose known risks, ensuring their disclosures accurately reflect their cybersecurity posture.
Furthermore, the SEC's recent adoption of rules on cybersecurity risk management, strategy, governance, and incident disclosure strengthens its regulatory toolkit. These rules, effective from December 2023, mandate disclosure of material cybersecurity incidents and provide a framework for assessing and managing cybersecurity risks.
Cybersecurity whistleblowers play a pivotal role in this landscape. Often positioned to identify vulnerabilities and recommend remedies, they can help prevent breaches and attacks. The SEC Whistleblower Program incentivizes such whistleblowers by offering awards for original information leading to successful enforcement actions exceeding $1 million in monetary sanctions.
Cybersecurity whistleblowers may receive awards ranging from 10% to 30% of total sanctions collected, with the option to submit tips anonymously if represented by an attorney. Federal and state whistleblower protection laws shield these individuals from retaliation, encouraging them to step forward and assist regulatory bodies in enforcing cybersecurity regulations.
In an era where data breaches and cyber threats loom large, the SEC's enforcement actions and whistleblower program underscore the pivotal role whistleblowers play in strengthening cybersecurity measures, ensuring transparency, and protecting the interests of investors and the public.
For more information regarding the SEC Cybersecurity Mandate effective December 2023, please contact us at www.FrameworkSecurity.com